Counter-Strike Team Fortress 2 How Cheats Work

Mooshua

Tech
This is a living document! Please consider checking back every once in a while in case we've made adjustments, corrections, or added new content :)

Cheats are nifty little things. Cheaters, of course, are not. So it's about time you silly little gooses learned what they do and how to spot them in order to sweep those little buggers off of our servers.

Yes, cheaters can see when you spectate them.

It's a thing. Some cheats will even turn off features automatically when the cheater is being spectated. So while you're welcome to spectate cheaters, just know that if someone really is injected there is a good chance they will know you're breathing down their neck :)

(It's theoretically possible to prevent cheaters from knowing you are spectating them, but it's a lot of work and we haven't had the chance to sit down and truly evaluate its feasibility.)

Netcode
[Extra Reading - Background Information]


Oh yeah, it's netcode time. Source engine netcode is pretty interesting: simultaneously being extremely resilient and quite forgiving. At the heart of Source engine netcode is the UserCmd. One UserCmd is created per tick, which contains the player's buttons (attack, move left, switch weapon, etc), aim direction, and velocity, among other things. The server processes all new UserCmds every tick, but it rewinds the server to the point where the tick was sent, not the current tick that the server is running on. This process is called lag compensation.

The process of lag compensation is fairly complex, and actually fully rewinds all other players to the position that the player should have seen. It does this by taking note of each player's latencies and tries to find the last tick the server sent to the player that the player has received. In other words, the server is very much trying to accurately guess exactly what the player is seeing.

However, things can (and do!) go wrong. Packets are often received out of order, dropped, or choked when the client or server isn't able to send the packet within the bandwidth target. (Choking means that the packet is being held onto instead of being sent). Furthermore, every UserCmd comes with several backup cmds in case a single packet was lost; these can be used to get the last few movement commands from a player if the server didn't get them in time.

Anti-Aim


There are many ways to go about adding anti-aim to a cheat, but ultimately all an anti-aim does is de-synchronize the model that the server sees with the model that other clients see. This can work because the server isn't always perfect about which packet it gets its movement information from, and it also isn't always perfect when it comes to sanitizing user input before touching it.

[Extra Reading - Background Information]
The Source engine has a mechanism called a send proxy for datatables that determines the value that the client sees, which does not always align with the value that the user sees. For example, a sendproxy saturates the viewmodel vector to have an angle within [-180, 180] degrees, but the server itself doesn't have that check itself, so a server can "see" a different value than a client.

For example, the logic that handles player view angles doesn't lock the view angles to reasonable values (-180 < x < 180), but the networking code does properly handle these angles. As a result, players can see cheaters rotated at 90 degrees, while the server sees the cheater at 180 degrees. No bueno!

One very creative form of anti-aim was found in the animation system using packet chokes. While the latest choked packet is sent to other players, the first choked packet is what's used by the animation system to place the player's hitbox in the world. Thus, players could literally give specifically the server a different view angle, without the players seeing any indication that the player was cheating!

[TF2] In TF2, anti-aim sometimes takes the form of anti-backstab, where the client sends illegal angles that can prevent a spy from backstabbing them (due to weird math weirdness) without appearing suspicious. The spy, unfortunately, will be none the wiser and will just think they lagged out.

Luckily, some forms of anti-aim are detected by server-side anti-cheats, and many have been patched by Valve over the years. (Official CS:GO servers used to detect some forms of anti-aim, presumably to help build VACnet!) Today anti-aiming is mostly only found in hack-vs-hack servers, or only very slightly used in "legit" cheating.

Aimbot

The sauce, the goodness: It's time for Aimbot! Aimbot is one of the easiest and hardest forms of cheating to detect; for some players it's clear as day, but for others it can take a little bit of a deep dive.

Aimbots, of course, move the player's mouse to point at an enemy player's hitbox. However, the exact details are handled by different cheats in different ways:
  • How do we move the mouse? Do we do an instant snap, or do we move it slowly to make it look like a real player?
  • Where specifically do we aim at? Do we always pick the head, or will we sometimes aim at the chest or a leg to throw players off?
  • When do we shoot? Do we let the player do the honors, or do we just simulate a mouse press ourselves?
  • How much will we move the player's mouse? Will we only snap to players close to the mouse, or will we risk being outed as a cheater and make wider movements to hit enemies?
Aimbots also have the freedom of choosing what tick to shoot on (if they haven't already sent a usercmd for that tick), and can use this to do annoying things like combine choking, fakelag, and backtracking to shoot without the victim ever seeing them. More on that later!

[Spot it!]
"Legitimate" aimbot (such as smoothed aim or removing recoil) is hard to spot. But you should still keep your eye out for the obvious cases:
  • Aim Snap, where the cheat enables the aimbot for one tick only to fire a perfect shot
  • Silent Aim, similar to aim snap, but when the aimbot then snaps back to where the player was originally looking to make it seem as if they never switched directions at all. This can be pretty obvious

Airstuck Exploits

"Airstuck" is a broad term for exploits that allow the client to not move for extended periods of time. The client can effectively "freeze" its momentum and stay in place until the cheat allows it to unfreeze. The most common form of airstuck is simply not sending any usercmds (not choking--just sending none at all) while still maintaining the connection.

Airstuck is mostly used in HvH and rage cheat contexts, and is rarely used stealthily.

[TF2] Airstuck is patched on Team Fortress 2, but can still be used for short periods of time (~5s)

[CSS] Airstuck is unpatched (to the best of my knowledge!) in Counter-Strike Source. Keep a look out for clients hovering slightly above the ground for extended periods of time! (Be sure there isn't an invisible clip brush there, too)

Lag Exploits

Lag exploits will typically take one or two paths, depending on what the server will allow a player to do:
  • Log spam: Printing messages to the server log isn't cheap, so if a player can get thousands or tens of thousands of logs to be written in a single tick, that could cause some noticeable disruption. We had this issue a lot in CSGO: cheaters found a way to print tens of thousands of log messages with a single packet. The lovely reverse engineer backwards found the patch for this, and it was used happily on our servers until the death of CSGO.
  • Packet Spam: By default, the Source engine server just lets you send as many packets as you please. This can cause issues in the server code that handles the packets. This happened recently on our Dust 2 server, where cheaters spammed voice packets that caused our auto-muting system to lag out the server.
In general, there's not a lot you wee little moderators can do to fix lag exploits. Let a system administrator (aka, tech) know if you think the server is being lagged; we have lots of tools we can use to diagnose and patch open exploits.

[Extra Reading - Background Information]
Whenever a server is having performance struggles, we'll typically take a vprof trace over the course of a few seconds to see if anything out of the ordinary is going on. In many cases, the cause of the lag will be clear from just viewing the trace alone.

ESP

Yeah, so there's pretty much nothing you can do to truly detect ESP, besides looking for suspicious behavior. But still, we should talk about some common misconceptions:
  • Tracking players through walls means someone has ESP
    This is just not true; many completely legitimate players trace people through walls as part of their normal gameplay. In addition, some "legit" cheats will intentionally hide players until they are just around a corner, to prevent players from acting suspiciously.
  • [CSS] Seeing through a flashbang means a player has anti-flash!
    This really, really depends. Sure, they could be cheating, but there's also a myriad of cases that can cause a flash to spontaneously not register. In fact, there are some cases where you are spectating a player being flashbanged and only one of you ends up actually being flashed!
  • ESP always means seeing through walls
    Several professional cheaters have been accused of cheating by using a very subtle aimbot as a form of ESP; as in they would press a key to have their mouse slowly move to point towards the nearest player, to reveal their location. Some TF2 cheats include a feature that flashes a warning when an enemy spy approaches you from behind. ESP doesn't always come in the outlines-through-walls form you'd think of!
I personally don't recommend trying to figure out if a player has walls or not; it's really just not something you can be very confident about, even in "obvious" cases.

Fakelag

Fakelag is a technique that takes advantage of choking. Essentially, players will only send their packets X times a second instead of once every tick, and will choke packets to prevent them from being sent prematurely. The server will properly fast-forward the player in time, including all their actions they took while choked! Players will see this as the cheater "teleporting" or lagging across the map as they move.

Unlike the game's built-in "fake lag" used for testing, Fakelag cheats will prevent packets from being sent rather than artificially adding latency (although they can, of course, do this too).

Fakelag is rarely used in "legitimate" settings, and is mostly used in hack vs hack contexts to try and confuse other cheats (or teleport around corners instantly without giving other cheaters time to react!)

[Spot It!]
If you see a player "Teleporting" across the map, they are probably using fakelag.


A cheater plays against another cheater using fakelag. Video from d3m0man used under fair use

Fake Latency

Fake latency simply adds latency to outgoing packets (but not incoming ones!), which can be used for a variety of legit and rage cheating methods. Since the latency is only on outgoing packets, the client will still see game updates in real time, unlike a true laggy player. [TF2] For example, fake latency is often used in combination with auto-backstabs in Team Fortress 2 to "trickstab" players.

Note that it is very unusual for legitimate players to have latencies over 200; look closer if you spot this in-game. [TF2] Spies with latencies over 400 are probably cheating.

Backtrack

Backtracking is a subtle form of cheating where a client artificially increases their latency for one command to throw off lag compensation. As a result of the increased latency, the game will search farther back in time to find an appropriate tick to rewind to, thus giving the "backtrack" effect. (The client can also forward track by tricking the server into choosing a more recent tick to rewind to, but that's a whole other can of worms).

Backtracking can be used as an alternate form of aimbot; for example, if we are cheating and a player crosses our crosshair, then it would be harder to see our "cheating" if we backtracked to when the player was over our crosshair than if we snapped to their head's position in the now.

Since backtracking can occur both forwards and backwards, many weird hits (such as those hitting players that have not yet peeked around a corner, or those that have just dived behind cover) could be backtracks. However, they also could have just been good shots :)

[TF2] In Team Fortress 2, backtrack is frequently used by cheating spies to enable them to hit more egregious backstabs. However, not all suspicious backstabs (or "facestabs") are backtracks; TF2 is just weird sometimes. A recurring pattern of weird stabs, though, should be investigated.

[Spot It!]
Backtracking is tricky to spot. In general, the lower your + their latency is, the shorter the backtrack distance should be.
 
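For the Anti-Aim section above: a server-side check that reports, and then sanitizes, view angles whose raw value differs from the [-180, 180] form that other clients see. This is an added example, not part of the original post or of any engine or plugin code; `ViewAngles`, `networked`, `audit` and `sanitize` are hypothetical names, and the wrap behaviour of the networked value is an assumption.

```cpp
#include <cmath>
#include <string>

// Hypothetical stand-in for the view angles carried in one UserCmd (degrees).
struct ViewAngles { float pitch, yaw, roll; };

// Wrap one angle into [-180, 180], the range the post says other clients see.
// Assumption: the networked value wraps; a build that clamps instead would
// still differ from the raw value for the same out-of-range inputs.
float networked(float a) {
    a = std::fmod(a, 360.0f);
    if (a > 180.0f)  a -= 360.0f;
    if (a < -180.0f) a += 360.0f;
    return a;
}

// True when the raw value the server works with differs from what clients render.
bool diverges(float raw) {
    return !std::isfinite(raw) || std::fabs(raw - networked(raw)) > 0.01f;
}

// Line for a moderator log: names the offending axes, empty when the command is clean.
std::string audit(const ViewAngles& v) {
    std::string out;
    if (diverges(v.pitch)) out += "pitch ";
    if (diverges(v.yaw))   out += "yaw ";
    if (diverges(v.roll))  out += "roll ";
    return out;
}

// Mitigation: rewrite the command into the networked form before game logic
// reads it, so server and clients agree. Non-finite values are zeroed.
ViewAngles sanitize(ViewAngles v) {
    float* f[3] = { &v.pitch, &v.yaw, &v.roll };
    for (float* p : f) *p = std::isfinite(*p) ? networked(*p) : 0.0f;
    return v;
}
```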
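For the [Spot it!] notes in the Aimbot section: a detector for the silent-aim pattern (the view jumps on a firing tick, then returns to where it was on the next tick), run over constructed per-tick data. This is an added example, not part of the original post; the `Tick` record and both thresholds are assumptions, and a plain aim snap without the return is deliberately not flagged because ordinary flicks look the same.

```cpp
#include <cmath>
#include <cstddef>
#include <vector>

// Hypothetical per-tick record taken from a demo or a server-side hook.
struct Tick { int number; float pitch, yaw; bool attack; };

// Shortest angular distance in degrees, so 179 -> -179 counts as 2, not 358.
float angleDelta(float a, float b) {
    float d = std::fmod(std::fabs(a - b), 360.0f);
    return d > 180.0f ? 360.0f - d : d;
}

// View change between two ticks (the larger of the pitch and yaw deltas).
float viewDelta(const Tick& a, const Tick& b) {
    return std::fmax(angleDelta(a.pitch, b.pitch), angleDelta(a.yaw, b.yaw));
}

// Returns tick numbers where the view jumps by at least snapDeg on a tick that
// fires, then is back within returnDeg of the pre-shot view on the next tick.
// Both thresholds are tuning assumptions, not values from the post.
std::vector<int> findSnapBacks(const std::vector<Tick>& t,
                               float snapDeg = 20.0f, float returnDeg = 2.0f) {
    std::vector<int> hits;
    for (std::size_t i = 1; i + 1 < t.size(); ++i) {
        bool snapped  = viewDelta(t[i - 1], t[i]) >= snapDeg;
        bool returned = viewDelta(t[i - 1], t[i + 1]) <= returnDeg;
        if (t[i].attack && snapped && returned) hits.push_back(t[i].number);
    }
    return hits;
}

// Constructed sample: a steady view, one firing tick 47 degrees away, then back.
std::vector<Tick> sampleTicks() {
    return {
        {100, 2.0f, 175.0f, false}, {101, 2.1f, 176.0f, false},
        {102, -4.0f, -137.0f, true},   // fires while looking elsewhere for one tick
        {103, 2.1f, 176.5f, false}, {104, 2.0f, 178.0f, false},
        {105, 1.0f, -179.0f, true},    // ordinary shot across the 180/-180 seam
        {106, 1.0f, -178.0f, false},
    };
}
```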
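For the Fakelag and Airstuck sections: a scan of one client's command arrivals that separates choked commands, which show up later in a batch, from commands that were never sent at all. This is an added example, not part of the original post; the per-tick counter, the thresholds and the 66-tick figure are assumptions, and the timeline is meant to cover only the period in which the connection stayed alive.

```cpp
#include <string>
#include <vector>

// Result of scanning one client's timeline.
struct Cadence { int longestChoke = 0, bigChokes = 0, missing = 0; };

// cmdsPerTick[i] = number of new UserCmds that arrived on server tick i
// (hypothetical counter, collected wherever the server processes commands).
Cadence scan(const std::vector<int>& cmdsPerTick, int chokeTicks = 6) {
    Cadence c;
    int gap = 0;                       // consecutive ticks with nothing received
    for (int n : cmdsPerTick) {
        if (n == 0) { ++gap; continue; }
        int owed = gap + 1;            // commands the client should have produced
        if (n >= owed) {               // all caught up: the silence was a choke
            if (gap > c.longestChoke) c.longestChoke = gap;
            if (gap >= chokeTicks) ++c.bigChokes;
        } else {
            c.missing += owed - n;     // commands that were never sent
        }
        gap = 0;
    }
    c.missing += gap;                  // still silent at the end of the window
    return c;
}

// airstuckTicks (about one second on a 66-tick server) and minBursts are
// tuning assumptions, not values from the post.
std::string classify(const std::vector<int>& cmdsPerTick,
                     int airstuckTicks = 66, int minBursts = 3) {
    Cadence c = scan(cmdsPerTick);
    if (c.missing >= airstuckTicks) return "airstuck-like";
    if (c.bigChokes >= minBursts)   return "fakelag-like";
    return "normal";
}

// Builds a constructed timeline by repeating a short pattern.
std::vector<int> repeatPattern(const std::vector<int>& p, int times) {
    std::vector<int> out;
    for (int i = 0; i < times; ++i) out.insert(out.end(), p.begin(), p.end());
    return out;
}
```

Ordinary jitter (a tick with nothing followed by a tick with two commands) stays "normal" because the gap is short and nothing is missing.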
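For the Netcode and Backtrack sections: a check that compares how far back a firing command asks the server to rewind with how far back the client's measured latency explains, which is the relation the last [Spot It!] note describes. This is an added example, not part of the original post or the engine's own lag compensation code; the `ShotContext` fields and the tolerance are assumptions.

```cpp
#include <cmath>
#include <cstdlib>

// Hypothetical snapshot of what the server knows when a firing UserCmd arrives.
struct ShotContext {
    int   serverTick;     // tick the server is simulating now
    int   targetTick;     // world tick the command asks hits to be evaluated against
    float latencySec;     // latency the server measured for this client
    float interpSec;      // client's interpolation delay
    float tickInterval;   // seconds per tick
};

int toTicks(float sec, float tickInterval) {
    return static_cast<int>(std::lround(sec / tickInterval));
}

// How far back (in ticks) the command asks the server to rewind.
int claimedRewind(const ShotContext& s) { return s.serverTick - s.targetTick; }

// How far back the measured latency says the client's view really was.
int expectedRewind(const ShotContext& s) {
    return toTicks(s.latencySec + s.interpSec, s.tickInterval);
}

// Positive: rewinding further than latency explains (backtrack).
// Negative: rewinding less than it should (forward track).
int rewindError(const ShotContext& s) {
    return claimedRewind(s) - expectedRewind(s);
}

// toleranceTicks absorbs normal jitter; its value is a tuning assumption.
bool suspiciousRewind(const ShotContext& s, int toleranceTicks = 4) {
    return std::abs(rewindError(s)) > toleranceTicks;
}
```

A single flagged shot proves little on a jittery connection; counting flags per player over a match matches the post's advice to look for recurring patterns.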
Thanks for the article Mooshuaz

This reminds me of the thread I follow on Reddit,
Explain Like I’m Five.
 
